2 ⁄
CONTENTS
4INTRODUCTION
6 UNDERSTANDING PROTECTION TRENDS
12 ASSESSING RISK
16 RESPONDING TO ATTACKS
22 MEASURING BUSINESS IMPACT
26SUMMARY
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 3
INTRODUCTION
IN THIS REPORT:
HOW U.S. ENTERPRISES ARE
DEFENDING AGAINST DDOS ATTACKS
Neustar’s 2015 DDoS Attacks and Protection Report
spotlights the risks you face, and shows how companies
throughout North America are aggressively defending
themselves. The major change this year is the
significant increase in the use of hybrid solutions
(on-premises hardware plus cloud-based mitigation).
Over 500 executives and senior professionals—
IT managers and directors, CTO, CIOs and others—
participated in the research. Nearly three-quarters
of their companies earn over $1 billion
in annual revenue.
4 ⁄
Today, few businesses doubt that DDoS attacks
are a problem.
Most everyone knows the risks of distributed denial of
service (DDoS) attacks. Here are some fresh reminders
from this year’s research:
40%
40% of businesses say DDoS attacks
are a growing threat to their organization.
32%
Nearly 1 in 3 companies would lose over
$100K of revenue per hour.
33%
Named by 33% of companies, customer
support is the #1 area affected by
DDoS attacks.
85%
Most companies attacked are hit
multiple times, with 30% attacked
over 10 times annually.
26%
26% of companies attacked suffer loss
of customer trust and brand damage.
The question now: what mix of protection strategies
works best?
Companies in numerous industries are taking strong action,
and many feel they should do more. But many also struggle
with choosing the right course. They seek to invest in DDoS
protection that aligns with potential losses, their budgetary
constraints, and technical environments.
31%
31% of businesses now use hybrid DDoS
protection—a 55% YOY increase.
94%
When a DDoS outage would mean
peak-hour losses of over $100K, 94% of
financial companies rely on hybrid protection.
14%
Only 14% of businesses use CDNs
to block DDoS.
51%
More than half of businesses are investing more
in DDoS protection than they were a year ago.
As the following section shows, companies rely on a number
of DDoS protection options.
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 5
UNDERSTANDING
PROTECTION TRENDS
“As DDoS attack
characteristics become
more complex, organizations
are finding value in ‘hybrid’ DDoS
mitigation strategies, driving
new alliances and acquisitions
among complementary DDoS
mitigation solution providers.”
Gartner Research,
Competitive Landscape:
DDoS Mitigation Solutions, Oct. 2014
Sid Deshpande and Eric Ahlm, Authors
6 ⁄
More businesses are using hybrid DDoS defense.
While the majority of companies still use firewalls to combat attacks, a significant number also use mitigation appliances,
cloud-based third-party services, or hybrid solutions that combine both. Firewalls alone are not sufficient; during attacks,
they often create bottlenecks and accelerate outages.
In fact, over 30% have adopted a hybrid defense. (In the EMEA version of this same report, that figure is 35%.) With
always-on, on-premises hardware blocking attacks instantly, plus cloud-based traffic-scrubbing to handle larger
strikes, hybrid solutions offer the best of both worlds.
TYPES OF DDOS PROTECTION USED
Traditional firewall ISP-based
61%
51%
Switches and routers
49%
DDoS mitigation service
31%
Hybrid protection
DDoS mitigation appliance
26%
Web application firewall (WAF)
20%
14%
CDN
No protection
0%
*Multiple responses allowed.
3%
10%
20%
30%
40%
50%
60%
70%
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 7
Over 50% are investing more in DDoS protection versus last year.
And nearly 20% say their investment should be larger.
COMPARED TO A YEAR AGO, ARE YOU INVESTING MORE
OF YOUR ANNUAL BUDGET TO PROTECT AGAINST DDOS ATTACKS?
33%
Investing more
Investing more, but
should be greater
18%
Not investing more, though
DDoS a high priority
22%
Not investing more,
not a high priority
14%
13%
No budget for DDoS
0%
10%
20%
30%
Investment follows risk.
Among companies whose annual revenue exceeds $500M, 51% are investing more in DDoS protection.
14% of businesses with revenues at these levels and who were attacked in 2014 experienced malware
or virus installation; of this subset, 65% are investing more than last year.
8 ⁄
40%
THE FUTURE OF MITIGATION:
A DDoS Expert Weighs In
As one of the world’s top authorities on DDoS and cyber
security, Neustar’s Rodney Joffe has advised the White
House and federal agencies. He shared his thoughts about
the future of DDoS mitigation:
“The use of website booter services, which lets anyone
launch a DDoS attack for as little as six dollars an hour—
has become a major source of DDoS attacks, with the sizes
dramatically jumping during 2014. As such, it has become
clear that that many companies are no longer able to
“go it alone” when it comes to fighting off these attacks.”
“At Neustar, we are working with both public and private
organizations to strengthen our cyber protection as a
nation. This includes working with the online community
to develop industry-based mitigation technologies that
incorporate mechanisms to distribute attack source
information into ISPs, so they can squelch the attacks
closer to the source. We also need to improve visibility and
understanding of activities in the criminal underground,
so their command and control structures can be disabled
rapidly. Finally, it’s important to improve attribution and
law enforcement actions to identify perpetrators and bring
them to justice.”
“These improvements won’t happen overnight or
solve everything, but they could make a significant,
positive difference.”
Rodney Joffe
Neustar Senior Vice President
and Fellow
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 9
A Lesson from the Financial Services Sector:
USING THE BEST OF THE BEST
TO FIGHT THE WORST OF THE WORST
WHAT’S AT STAKE?
Financial companies are a prime DDoS
target. Attackers sometimes take aim
at banks to make a political or social
statement, for example, the European
Cyber Army attacks on major U.S. banks
in early 2014. Also last year, the Federal
Financial Institutions Examination
Council (FFIEC) issued a set of DDoS
protection steps for the industry to take.
10 ⁄
43%
INVEST IN HYBRID DDoS PROTECTION
within the financial services industry.
94%
USE HYBRID WHEN BIG REVENUE IS ON THE LINE
When a DDoS outage would result in peak-hour
losses of over $100K, 94% of financial companies
choose a hybrid solution.
WHY? FASTER DETECTION
& RESPONSE PAY OFF
STRONGER PROTECTION
FROM LARGER ATTACKS
Financial companies with hybrid protection act faster to
block attacks. Always-on hardware detects and mitigates
immediately, even while security teams are confirming
DDoS events.
With cloud capacity in the mix, financial companies
with hybrid protection are poised to block larger attacks.
Fifty percent of those able to measure attack size reported
attacks of 5 Gbps or more.
6+
88% Detect attacks
in less than 2 hours, versus
77% of respondents overall.
72% Respond to attacks
in less than 2 hours, versus
68% of respondents overall.
43% OF THOSE ATTACKED GET HIT 6+ TIMES A YEAR
The financial sector has little choice but to be prepared.
THE BOTTOM LINE:
The financial services industry is balancing risk, impact, and investment in
DDoS mitigation. Abundant data exists to make strong business cases for
DDoS protection investments.
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 11
ASSESSING RISK
12 ⁄
40% say DDoS attacks
are a growing threat to
their organization.
In fact...
Of those who say DDoS attacks are a smaller threat now, 46% are still investing more in protection compared to last
year. This clearly indicates that organizations are more educated and committed in their approach to combating
DDoS attacks. Awareness and action have moved beyond the IT department, all the way up to the C-suite.
The financial risk is great. For every hour their sites are down during peak business,
32% of companies would lose over $100K. Over 10% would lose $1M+.
HOURLY REVENUE LOSSES DUE TO OUTAGES AT PEAK TIMES
18%
Less than $25K
5%
$29K-$49K
6%
$50K-$99K
8%
$100K-$249K
6%
$250K-$499K
7%
$500K-$1M
11%
$1M+
39%
Don't know
0%
10%
20%
30%
40%
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 13
A Lesson from One Gaming Company:
WHEN LIFE TURNED INTO A WAR GAME,
THEY GOT MAX PROTECTION
Last year, few industries felt the sting of DDoS attacks like the video gaming industry,
which suffered widely publicized outages.
Let’s put one (unnamed) gaming company under the microscope. Were they barraged
like their industry neighbors? If so, what did they invest in to defend themselves?.
HOW MANY TIMES WAS
THE COMPANY ATTACKED?
WHAT WERE THE MAJOR IMPACTS?
In its research responses, the company said
it suffered ALL of these impacts:
So often they lost count.
WHAT WAS THE SIZE
OF A TYPICAL ATTACK?
10-19 Gbps
plenty big
14 ⁄
HOW MUCH REVENUE
WAS AT RISK DURING
PEAK TIMES?
$100-250K per hour.
-
-
-
-
Damage to brand/customer trust
Diminished call center efficiency
Slower customer service
Undermined online marketing
HOW’S THAT WORKING OUT?
- Most attacks detected within 1 hour
IS THE COMPANY INVESTING
MORE IN DDOS PROTECTION
THAN A YEAR AGO?
Absolutely, in proportion
to threats.
WHAT DDOS PROTECTION
SOLUTIONS IS THE COMPANY
INVESTING IN?
Pretty much everything:
- Hybrid solution
- Firewall ISP-based prevention
(blackholing)
-WAF
-CDN
- Most attacks responded to within
6-12 hours; below industry average,
but explained perhaps by the sheer
number and size of attacks and
constant disruptions they caused
- Longest attack lasted 1-2 days
THE BOTTOM LINE:
In an industry under siege, this company anchors their defenses with hybrid and,
just to be sure, layers in other solutions.
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 15
RESPONDING
TO ATTACKS
16 ⁄
45% of businesses
take more than 1 hour
to detect a DDoS attack.
After detection,
51% take more than
an hour to respond.
ATTACK DETECTION AND RESPONSE TIMES
60%
50%
54%
RESPONSE TIMES
ATTACK DETECTION
49%
40%
30%
23%
20%
20%
20%
11%
10%
8%
9%
0%
Less than
an hour
1-2 hours
3-5 hours
6-12 hours
2%
2%
1%
1%
12-14 hour
More than
a day
Among companies surveyed, 31% of their longest attacks
lasted more than a day. 13% lasted over 3 days.
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 17
Most companies that are attacked are hit multiple times. Most attacks are large enough to
disable sites with little or no protection. These realities are driving heavier investments in cloud
or hybrid mitigation. Again, companies with hybrid solutions detect and respond to attacks faster
while offering the bandwidth to counter large attacks.
ATTACK FREQUENCY
Among companies attacked in 2014
Once
ATTACK SIZE IN BANDWIDTH
Among companies attacked in 2014
17%
Less than 500 Mbps
15%
9%
500-999 Mbps
27%
2-5 times
10%
1.0-4.9 Gbps
6-10 times
10%
About every month
7%
5.0-9.9 Gbps
5%
10.0-19.9 Gbps
14%
3%
20.0-49.9 Gbps
About every week
7%
Lost count
50-100 Gbps
9%
0%
10%
100+ Gbps
20%
Some companies were unable to pinpoint attack frequency.
18 ⁄
2%
30%
1%
0%
5%
10%
15%
Some companies were unable to pinpoint attack size.
20%
When attacked, 64% of businesses
use more than 6 staffers to mitigate.
In fact, 39% use more than 10. Of course,
attackers count on this—the more people
focused on a DDoS attack, the fewer eyes
watching for other threats like malware or
virus installation.
MANPOWER REQUIRED
2-5
staffers
36%
25%
6-10
staffers
10+
staffers
0%
39%
10%
20%
30%
40%
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 19
A Lesson from the Tech Sector:
HYBRID IS NOW THEIR #2
MOST POPULAR DDOS PROTECTION
No wonder. Technology companies that get attacked tend to get smacked repeatedly. They’re also more likely to
lose big during outages—many risk losses of a quarter million dollars per hour or more during peak business.
Types of Protection Tech Companies Use
Firewalls
53%
Hybrid solutions
40%
DDoS mitigation service
16%
DDoS mitigation appliance
12%
CDN
11%
WAF
5%
*Multiple responses allowed.
20 ⁄
OVERALL, THE INDUSTRY IS INCREASING
ITS DDOS PROTECTION INVESTMENT.
51% are investing more than they did
a year ago in various types of DDoS protection.
Here’s why the tech sector is embracing best-of-breed hybrid:
44%
65%
6+
47%
$250K
65% of tech companies attacked
are targeted 6+ times a year.
Nearly half of all tech companies
attacked would lose $250K+ per
hour if their sites went down
during prime time.
Nearly half of all tech companies
attacked experienced a data breach.
THE BOTTOM LINE:
Dealing with a precarious mix of online risk and threats, tech companies not only
defend with traditional firewalls but are quickly embracing hybrid as the gold standard.
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 21
MEASURING
BUSINESS IMPACT
22 ⁄
Following DDoS-related
data breaches, 23% of
companies report loss
of customer trust and
damage to the brand.
In “smokescreen” attacks DDoS is just a distraction.
The real objective is installation of malware and theft.
RESULTS OF DDOS-RELATED DATA BREACHES
Loss of customer trust/
damage to brand
23%
Malware or virus
installed/activated
14%
7%
Customer data theft
3%
Financial theft
2%
Loss of intellectual property
0%
10%
5%
15%
20%
25%
Some companies breached could not pinpoint impact.
Security and IT absorb the greatest DDoS-related cost increases.
But areas strongly impacted by DDoS are found throughout the enterprise.
DEPARTMENTS WITH GREATEST
DDOS-RELATED COST INCREASES (Scale of 1 to 5)
Security
3.72
IT
Customer trust/
brand damage
3.22
Customer support
Revenue
2.83
Marketing
Data theft
2.33
0
1
2
26%
13%
Online marketing
2.85
Call center
33%
Customer support
3.39
Risk management/
compliance
AREAS MOST IMPACTED BY DDOS
7%
8%
13%
Other
3
4
5
0%
10%
20%
30%
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 23
40%
A Lesson from the Retail Sector:
REPEAT ATTACKS SPUR
HYBRID ADOPTIONS
In retail, most companies are attacked repeatedly.
Most retailers also have high levels of online revenue risk.
73%
57%
LIGHTNING OFTEN STRIKES MORE THAN TWICE.
BIG TARGETS ARE FREQUENT TARGETS.
73% of retailers attacked in 2014 were hit multiple times.
57% of retailers with $1B+ in annual
revenues were attacked multiple times.
24 ⁄
38%
46%
31%
A LOT TO LOSE.
46% of retailers attacked
had annual revenues of $1B+.
TO LOWER RISK, RETAILERS USE HYBRID
PROTECTION AT AN ABOVE-AVERAGE RATE:
38% HYBRID ADOPTION.
The cross-industries average: 31%
THE BOTTOM LINE:
Faced with recurring attacks and substantial revenue to protect,
retailers are adopting hybrid solutions at a brisk clip.
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 25
SUMMARY
5 KEY TAKEAWAYS FROM THIS REPORT
1. Acceptance of Threat: Most U.S. businesses are
aware that the DDoS threat is real—nearly 1 in 3
would lose at least $100K due to a DDoS outage
during peak business.
2. Increasing Investment: over 50% are investing
more in protection than a year ago.
3. Hybrid Strategies: More companies are layering
types of protection, with many (31%) adopting
hybrid models. In key industries like technology
and financial services, the adoption rate is higher
(40% or more).
4. Outperforming Attackers: Companies with
advanced mitigation solutions, such as hybrid
models, are detecting and responding to attacks
at a faster-than-average rate.
5. Business Impact: The impact of DDoS is felt
throughout the enterprise—33% of companies
say that customer support is the #1 problem.
TO LEARN MORE ABOUT DDOS PROTECTION, VISIT NEUSTAR.BIZ
26 ⁄
To mitigate DDoS attacks, Neustar blends expertise, proven responses, and
diverse technologies. Neustar SiteProtect, our DDoS mitigation service, offers
options to meet your level of risk, budget, and technical environment: cloud-based
protection; on-premise, always-on hardware; or a hybrid of both, fully managed by
us. SiteProtect is backed by the Neustar Security Operations Center, whose experts
bring years of experience to blocking every attack.
APRIL 2015 NEUSTAR DDOS ATTACKS & PROTECTION REPORT: NORTH AMERICA ⁄ 27
ABOUT NEUSTAR
Neustar, Inc. (NYSE:NSR) is the first real-time provider of cloud-based information
services and data analytics, enabling marketing and IT security professionals to promote
and protect their businesses. With a commitment to privacy and neutrality, Neustar
operates complex data registries and uses its expertise to deliver actionable, data-driven
insights that help clients make high-value business decisions in real time, one customer
interaction at a time. More information is available at www.neustar.biz.
© 2015 Neustar, Inc. All Rights Reserved.